The originating IP address of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-For headers on incoming requests over TLS, as follows:

  • The client IP – if the request protocol is TLS.
  • The edge IP – if the origin has a TLS configuration and shielding is enabled.
  • Even if the client connection is TLS, nothing is added or appended at the shield unless the origin connection is over TLS.


| Shielding | Request Protocol | Origin Protocol | Client Header | X-Forwarded-For | Note |
|---|---|---|---|---|---|
| No | TLS | TLS | No | 210.191.60.193 | Added at edge |
| No | Non TLS | TLS | No | null | |
| No | Non TLS | TLS | Yes | 1.1.1.1 | Pass-through |
| No | TLS | Non TLS | No | 210.191.60.193 | Added at edge |
| No | Non TLS | Non TLS | No | null | |
| No | TLS | Non TLS | Yes | 1.1.1.1, | |
| No | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
| Yes | TLS | TLS | No | 118.6.192.181, | at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS | No | 157.52.91.44 | Added at shield (edge IP) |
| Yes | TLS | TLS | Yes | 1.1.1.1,, | at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS | Yes | 1.1.1.1, | at shield (edge IP) |
| Yes | TLS | Non TLS | No | 118.6.192.181 | Added at edge (client IP) |
| Yes | Non TLS | Non TLS | No | null | |
| Yes | TLS | Non TLS | Yes | 1.1.1.1, | at edge (client IP) |
| Yes | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
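
The rules and table above, modelled in Python as an added example (not Fastly's code), to show which entries an origin can attribute to Fastly and which arrived from the client. The addresses are constructed documentation-range values, and treating the rightmost entries as the Fastly-written ones is an assumption of this example.

```python
# Added example: models the three rules above. Addresses are constructed
# (documentation ranges), not values from the page.
CLIENT_IP = "203.0.113.7"     # constructed: connecting client
EDGE_IP = "192.0.2.10"        # constructed: edge IP as seen by the shield
SPOOFED = "198.51.100.9"      # constructed: X-Forwarded-For sent by the client


def appended_count(shielding, request_tls, origin_tls):
    """Number of entries Fastly adds for this configuration."""
    at_edge = 1 if request_tls else 0                     # client IP
    at_shield = 1 if (shielding and origin_tls) else 0    # edge IP
    return at_edge + at_shield


def forwarded_for(shielding, request_tls, origin_tls, client_header=None):
    """X-Forwarded-For value that reaches the origin, or None if absent."""
    entries = [client_header] if client_header else []
    if request_tls:
        entries.append(CLIENT_IP)
    if shielding and origin_tls:
        entries.append(EDGE_IP)
    return ", ".join(entries) if entries else None


def split_entries(value, shielding, request_tls, origin_tls):
    """Split a received header into (client_supplied, added_by_fastly).

    Assumption of this example: the rightmost appended_count() entries are
    the ones Fastly wrote; everything to their left came from the client.
    """
    parts = [p.strip() for p in (value or "").split(",") if p.strip()]
    cut = max(len(parts) - appended_count(shielding, request_tls, origin_tls), 0)
    return parts[:cut], parts[cut:]


if __name__ == "__main__":
    for cfg in [(False, True, True), (False, False, True), (True, True, True)]:
        value = forwarded_for(*cfg, client_header=SPOOFED)
        print(cfg, value, split_entries(value, *cfg))
```

In the pass-through configurations `split_entries` returns an empty Fastly-written list, so the whole header is client-supplied there.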

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-For = client.ip;